Merge pull request #10872 from AJAlabs/master
Update Getting Started Guide - Strong Parameter [ci skip]
This commit is contained in:
commit
2d31df49d5
@ -531,21 +531,28 @@ and change the `create` action to look like this:
|
||||
|
||||
```ruby
|
||||
def create
|
||||
@post = Post.new(params[:post])
|
||||
|
||||
@post = Post.new(post_params)
|
||||
|
||||
@post.save
|
||||
redirect_to @post
|
||||
redirect_to @post
|
||||
end
|
||||
|
||||
private
|
||||
def post_params
|
||||
params.require(:post).permit(:title, :text)
|
||||
end
|
||||
```
|
||||
|
||||
Here's what's going on: every Rails model can be initialized with its
|
||||
respective attributes, which are automatically mapped to the respective
|
||||
database columns. In the first line we do just that (remember that
|
||||
`params[:post]` contains the attributes we're interested in). Then,
|
||||
`post_params` contains the attributes we're interested in). Then,
|
||||
`@post.save` is responsible for saving the model in the database.
|
||||
Finally, we redirect the user to the `show` action,
|
||||
which we'll define later.
|
||||
|
||||
TIP: Note that `def post_params` is private. This new approach prevents an attacker from setting the model’s attributes by manipulating the hash passed to the model. For more information, refer to [this blog post about Strong Parameters](http://weblog.rubyonrails.org/2012/3/21/strong-parameters/).
|
||||
|
||||
TIP: As we'll see later, `@post.save` returns a boolean indicating
|
||||
whether the model was saved or not.
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user